CVE-2020-8286

CWE-295 — Improper Certificate Validation13 documents11 sources

Severity

7.5HIGH

EPSS

0.3%

top 47.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X Apple Macos Haxx Libcurl +10 more

Timeline

PublishedDec 14

Latest updateMay 24

Description

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages12 packages

▶NVDhaxx/libcurl7.41.0 — 7.74.0

▶Debiancurl< 7.74.0-1+3

▶CVEListV5https://github.com/curl/curl7.41.0 to and including 7.73.0

▶NVDapple/macos11.0 — 11.3

▶NVDapple/mac_os_x10.15 — 10.15.7+3

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33

Patches

Patch: cert-portal.siemens.com ↗Patch: hackerone.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-xh5x-q49r-r9w4: curl 7↗2022-05-24

▶

CVEList

CVE-2020-8286: curl 7↗2020-12-14

▶

OSV

CVE-2020-8286: curl 7↗2020-12-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Balances (cURL) — CVE-2020-8286↗2021-07-15

▶

Apple

CVE-2020-8286: Security Update 2021-002 Catalina↗2021-04-26

▶

Apple

CVE-2020-8286: macOS Big Sur 11.3↗2021-04-26

▶

Oracle

Oracle Oracle PeopleSoft Risk Matrix: File Processing (cURL) — CVE-2020-8286↗2021-04-15

▶

Ubuntu

curl vulnerabilities↗2020-12-09

▶

💬Community

HackerOne

CVE-2020-8286: Inferior OCSP verification↗2020-12-09

▶